【Mr Gateway After-sales Service】Example for Configuring Command Line Authorization

Created: Mar 24, 2016 11:21:00 | Latest reply: Mar 28, 2016 15:00:37

This example applies to all AR models of all versions.

 

Networking Requirements

As shown in Figure 1, a user accesses the network through the Router. The user belongs to the domain huawei.com and has user level 3, but should be allowed to run only a subset of the level-3 commands. To implement fine-grained management and keep the device secure, configure the Router to send every command line the user enters to the HWTACACS server for authorization before executing it, and to record the commands the user executes.

The IP address of the HWTACACS server is 10.1.6.6/24; both the authentication port number and the authorization port number are 49 (the standard TACACS+ TCP port).

 

Figure 1 HWTACACS-based command line authorization

 

 

Procedure

Configure the Router.

 

#                                                                        

 sysname Router                                                          

#                                                                   

hwtacacs-server template 1  //Configure an HWTACACS server template.

 hwtacacs-server authentication 10.1.6.6 weight 80  //Configure an HWTACACS authentication server.

 hwtacacs-server authorization 10.1.6.6 weight 80  //Configure an HWTACACS authorization server.

 hwtacacs-server shared-key cipher %^%#z3#CA>MtbD=>A]Ts;au$;&I!<sN~"B!++2S8'--;%^%#  //Set the shared key between the router and the HWTACACS server to Hello@1234. The key is entered in plaintext; the configuration file shows only the encrypted form, which is specific to the device.

#                                                          

aaa                                                            

 authentication-scheme sch1  //Create the authentication scheme sch1.                                    

  authentication-mode hwtacacs 

 authorization-scheme ht  //Create the authorization scheme ht.

  authorization-mode hwtacacs 

  authorization-cmd 3 hwtacacs  //Enable command line authorization through HWTACACS for level-3 users: each command a level-3 user enters is sent to the server and executed only if the server permits it.

 recording-scheme scheme0  //Create the record scheme scheme0. 

  recording-mode hwtacacs 1  //Associate an HWTACACS server template with the record scheme scheme0.      

 cmd recording-scheme scheme0  //Configure scheme0 to record the commands executed on the device.

 service-scheme sch1  //Create the service scheme sch1.

  admin-user privilege level 15  //Set the privilege level of administrators using this service scheme to 15.

 domain huawei.com   //Create the domain huawei.com.                                 

  authentication-scheme sch1  //Specify the HWTACACS authentication scheme for the users in this domain.

  authorization-scheme ht  //Specify the HWTACACS authorization scheme for the users in this domain.

  service-scheme sch1  //Specify the service scheme for the users in this domain.                        

  hwtacacs-server 1  //Specify the HWTACACS server template for the users in this domain.                      

#                                                                               

interface GigabitEthernet1/0/1                                                   

 ip address 10.1.2.10 255.255.255.0                                        

#                                                                               

interface GigabitEthernet1/0/2                                                 

 ip address 10.1.6.10 255.255.255.0                                           

#                                                                               

 telnet server enable  //Enable the Telnet server.                                 

#

user-interface maximum-vty 15  //Set the maximum number of login users on the VTY user interface to 15.             

user-interface vty 0 14                                                        

 authentication-mode aaa  //Set the authentication mode for VTY user interface to AAA.                     

#                                                                               

return
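What actually crosses the wire between the Router and 10.1.6.6:49 when a level-3 user enters a command under this configuration, shown as an added example written for this page (it is not Huawei's code and not part of the original post): one TACACS+ authorization round trip with both sides' messages. HWTACACS is Huawei's implementation of TACACS+, so the packet layout follows RFC 8907 and the cmd=/cmd-arg= argument form is the one standard TACACS+ servers expect. The server-side policy (level-3 users of huawei.com may run only display), the VTY port name "vty0" and the client address 10.1.2.1 are constructed for the example.

```python
# Added example written for this page (not Huawei's code, not from the post):
# one TACACS+ command-authorization round trip as the Router performs it against
# 10.1.6.6:49 for a level-3 user.  HWTACACS is Huawei's TACACS+ implementation,
# so the layout follows RFC 8907: 12-byte clear header, body XOR-ed with an MD5
# pseudo-pad derived from the shared key, cmd=/cmd-arg= argument pairs.
# Constructed for the example: the server policy, port name "vty0", client address.
import hashlib
import os
import struct

VERSION = 0xC0                              # major version 0xC, minor version 0
TYPE_AUTHOR = 0x02                          # packet type: authorization
METH_TACACSPLUS, TYPE_ASCII, SVC_LOGIN = 0x06, 0x01, 0x01
PASS_ADD, FAIL, ERROR = 0x01, 0x10, 0x11    # authorization RESPONSE status values

def pseudo_pad(session_id: int, key: bytes, seq_no: int, length: int) -> bytes:
    """RFC 8907 4.5: MD5_1 = MD5(session_id|key|version|seq_no); MD5_n appends MD5_n-1."""
    base = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(base + block).digest()
        pad += block
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; applying it twice restores the clear body."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))

def packet(seq_no: int, session_id: int, key: bytes, body: bytes) -> bytes:
    """Clear 12-byte header (version, type, seq_no, flags, session_id, length) + obfuscated body."""
    header = struct.pack("!BBBBII", VERSION, TYPE_AUTHOR, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)

def unpack(data: bytes, key: bytes):
    """Return (seq_no, session_id, clear body); the body is garbage if the key is wrong."""
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", data[:12])
    if version != VERSION or ptype != TYPE_AUTHOR or len(data) != 12 + length:
        raise ValueError("bad TACACS+ header")
    return seq_no, session_id, obfuscate(data[12:], session_id, key, seq_no)

def author_request(user: str, priv_lvl: int, port: str, rem_addr: str, args: list) -> bytes:
    """Authorization REQUEST body (RFC 8907 6.1); every length field is one byte."""
    u, p, r, a = user.encode(), port.encode(), rem_addr.encode(), [x.encode() for x in args]
    fixed = struct.pack("!8B", METH_TACACSPLUS, priv_lvl, TYPE_ASCII, SVC_LOGIN,
                        len(u), len(p), len(r), len(a))
    return fixed + bytes(len(x) for x in a) + u + p + r + b"".join(a)

def parse_author_request(body: bytes) -> dict:
    """Strict parse: lengths must add up and text must be ASCII, so a wrong-key body is rejected."""
    _m, priv, _t, _s, ul, pl, rl, ac = struct.unpack("!8B", body[:8])
    lens, pos, fields = list(body[8:8 + ac]), 8 + ac, []
    for n in [ul, pl, rl] + lens:
        fields.append(body[pos:pos + n].decode("ascii"))
        pos += n
    if pos != len(body) or not fields[0]:
        raise ValueError("truncated or undecodable authorization request")
    return {"user": fields[0], "priv_lvl": priv, "port": fields[1],
            "rem_addr": fields[2], "args": fields[3:]}

def author_response(status: int, server_msg: str = "") -> bytes:
    """Authorization RESPONSE body (RFC 8907 6.2) carrying no returned arguments."""
    m = server_msg.encode()
    return struct.pack("!BBHH", status, 0, len(m), 0) + m

def parse_author_response(body: bytes):
    """Return (status, server_msg); strict about lengths for the same reason as above."""
    status, ac, ml, dl = struct.unpack("!BBHH", body[:6])
    if 6 + ac + ml + dl + sum(body[6:6 + ac]) != len(body):
        raise ValueError("truncated or undecodable authorization response")
    return status, body[6 + ac:6 + ac + ml].decode("ascii")

# Constructed server policy: level-3 users of huawei.com may run only 'display' commands.
PERMITTED = {("huawei.com", 3): {"display"}}

def server_decide(req: dict) -> int:
    domain = req["user"].partition("@")[2]
    cmd = next((a[4:] for a in req["args"] if a.startswith("cmd=")), "")
    return PASS_ADD if cmd in PERMITTED.get((domain, req["priv_lvl"]), set()) else FAIL

def authorize_command(command: str, router_key: bytes = b"Hello@1234",
                      server_key: bytes = b"Hello@1234", user: str = "user1@huawei.com") -> bool:
    """Router request (seq 1) -> server decision -> response (seq 2) -> Router verdict."""
    session_id = int.from_bytes(os.urandom(4), "big")
    words = command.split()
    args = ["service=shell", "cmd=" + words[0]] + ["cmd-arg=" + w for w in words[1:]] + ["cmd-arg=<cr>"]
    wire = packet(1, session_id, router_key, author_request(user, 3, "vty0", "10.1.2.1", args))
    # Server side: deobfuscate with its own copy of the key, decide, answer.
    seq, sid, clear = unpack(wire, server_key)
    try:
        status, msg = server_decide(parse_author_request(clear)), ""
    except (ValueError, UnicodeDecodeError):
        status, msg = ERROR, "cannot decode request (shared key mismatch?)"
    reply = packet(seq + 1, sid, server_key, author_response(status, msg))
    # Router side: only PASS_ADD lets the command run; FAIL, ERROR or garbage blocks it.
    try:
        status, _msg = parse_author_response(unpack(reply, router_key)[2])
    except (ValueError, UnicodeDecodeError):
        return False
    return status == PASS_ADD
```

Note what the shared key does and does not give you: the body is XOR-ed with an MD5 pseudo-pad keyed by Hello@1234, which hides the command and user name from a casual sniffer but is not authenticated encryption, and the 12-byte header travels in the clear. A key mismatch shows up as an undecodable body on the receiving side, which is why the Configuration Notes require identical keys on both ends, and why the TACACS+ traffic belongs on an isolated management network.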

Verify the configuration.

# Choose Start > Run on your computer and enter cmd to open the cmd window. Run the telnet command and enter the user name user1@huawei.com and password Huawei@1234 to log in to the device through Telnet.

 

C:\Documents and Settings\Administrator> telnet 10.1.2.10

Username:user1@huawei.com

Password:***********

<Router>  //The user logs in to the device successfully.

# Run the display authorization-scheme ht command. The command output shows that command line authorization through HWTACACS is enabled for level-3 users only.

 

<Router> display authorization-scheme ht

---------------------------------------------------------------------------    

 Authorization-scheme-name               : ht                                               

 Authorization-method                    : HWTACACS                                        

 Authorization-cmd level  0              : Disabled                                       

 Authorization-cmd level  1              : Disabled                                        

 Authorization-cmd level  2              : Disabled                                       

 Authorization-cmd level  3              : Enabled  ( HWTACACS  )                   

 Authorization-cmd level  4              : Disabled                                       

 Authorization-cmd level  5              : Disabled                                       

 Authorization-cmd level  6              : Disabled                                       

 Authorization-cmd level  7              : Disabled                                       

 Authorization-cmd level  8              : Disabled                                       

 Authorization-cmd level  9              : Disabled                                       

 Authorization-cmd level 10              : Disabled                                       

 Authorization-cmd level 11              : Disabled                                       

 Authorization-cmd level 12              : Disabled                                        

 Authorization-cmd level 13              : Disabled                                       

 Authorization-cmd level 14              : Disabled                                       

 Authorization-cmd level 15              : Disabled                                       

 Authorization-cmd no-response-policy    : Online                              

---------------------------------------------------------------------------
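The output above is worth checking mechanically rather than by eye, because two of its lines carry the security decision: which levels actually have command line authorization, and what happens when the server does not answer. The following is an added example written for this page (not from the original post): it parses this display output and flags any level the user can hold that is not covered, plus the fail-open no-response policy. SAMPLE_OUTPUT is the output shown on this page; the set of levels passed to audit_scheme() is what the caller knows the user can hold (service-scheme sch1 above grants administrators level 15).

```python
# Added example written for this page, not from the original post: parse the
# 'display authorization-scheme' output and flag uncovered levels and fail-open.
# SAMPLE_OUTPUT is the output shown on the page (constructed copy for offline use).
import re

SAMPLE_OUTPUT = """\
---------------------------------------------------------------------------
 Authorization-scheme-name               : ht
 Authorization-method                    : HWTACACS
 Authorization-cmd level  0              : Disabled
 Authorization-cmd level  1              : Disabled
 Authorization-cmd level  2              : Disabled
 Authorization-cmd level  3              : Enabled  ( HWTACACS  )
 Authorization-cmd level  4              : Disabled
 Authorization-cmd level  5              : Disabled
 Authorization-cmd level  6              : Disabled
 Authorization-cmd level  7              : Disabled
 Authorization-cmd level  8              : Disabled
 Authorization-cmd level  9              : Disabled
 Authorization-cmd level 10              : Disabled
 Authorization-cmd level 11              : Disabled
 Authorization-cmd level 12              : Disabled
 Authorization-cmd level 13              : Disabled
 Authorization-cmd level 14              : Disabled
 Authorization-cmd level 15              : Disabled
 Authorization-cmd no-response-policy    : Online
---------------------------------------------------------------------------
"""

NAME_RE = re.compile(r"^\s*Authorization-scheme-name\s*:\s*(\S+)")
LEVEL_RE = re.compile(r"^\s*Authorization-cmd level\s+(\d+)\s*:\s*(Enabled|Disabled)"
                      r"(?:\s*\(\s*([^)]*?)\s*\))?")
POLICY_RE = re.compile(r"^\s*Authorization-cmd no-response-policy\s*:\s*(\S+)")

def parse_authorization_scheme(text: str) -> dict:
    """Return {'name': str, 'levels': {level: method or None}, 'no_response_policy': str}.
    A level maps to its authorization method (e.g. 'HWTACACS') when enabled, else None."""
    scheme = {"name": None, "levels": {}, "no_response_policy": None}
    for line in text.splitlines():
        if m := NAME_RE.match(line):
            scheme["name"] = m.group(1)
        elif m := LEVEL_RE.match(line):
            enabled = m.group(2) == "Enabled"
            scheme["levels"][int(m.group(1))] = (m.group(3) or "Enabled") if enabled else None
        elif m := POLICY_RE.match(line):
            scheme["no_response_policy"] = m.group(1)
    return scheme

def audit_scheme(scheme: dict, levels_user_can_hold) -> list:
    """Findings a reviewer would raise; an empty list means nothing to flag."""
    findings = []
    for lvl in sorted(levels_user_can_hold):
        if not scheme["levels"].get(lvl):
            findings.append(f"level {lvl}: command authorization disabled, "
                            "commands at this level run without a server check")
    if scheme["no_response_policy"] == "Online":
        findings.append("no-response-policy Online: the user stays online when the "
                        "HWTACACS server does not answer (fail-open)")
    return findings

if __name__ == "__main__":
    for finding in audit_scheme(parse_authorization_scheme(SAMPLE_OUTPUT), {3, 15}):
        print(finding)
```

Run against the page's own output with the level set {3, 15}, the audit reports that level 15 is not covered and that the scheme fails open; with {3} alone only the no-response finding remains, which is the one to weigh consciously before going live.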

 

Configuration Notes

The Router and HWTACACS server must use the same authentication port number.

The Router and HWTACACS server must use the same shared key. The key is entered in plaintext (Hello@1234 in this example); the configuration file only ever shows the encrypted form.

There must be a reachable route between the Router and HWTACACS server.

In the authorization scheme ht only level 3 has command line authorization enabled; every other level shows Disabled in the output above. The service scheme sch1 grants administrators level 15, so check which level the user actually lands at and enable authorization-cmd for every level the user can hold. Commands at a level that is not covered are executed without being sent to the server.

Authorization-cmd no-response-policy is Online, so users stay online when the HWTACACS server does not answer. Decide whether this fail-open behaviour is acceptable for your environment, and confirm the exact no-response behaviour for your software version.

Telnet carries the user name and password in clear text. Use it only on a trusted management network; AR routers also support STelnet (SSH), which is the preferred login method.

Command records are delivered to the server in HWTACACS server template 1 as accounting records. Confirm on the server that the executed commands are actually being received; if they are not, check whether template 1 also needs an accounting server (hwtacacs-server accounting), which this example does not configure.


user_2790689    Created Mar 28, 2016 15:00:37

Thank you.

